September 10, 2020

Privacy Twilight Zone: Returning to Work in the Age of COVID-19

Joan Wrabetz, John Isaza


  • Schools and businesses must return to work in a thoughtful manner to avoid liability down the line.
  • What are some of the privacy, employment law, and record retention issues that must be considered?

As organizations begin to bring people back into workplaces and schools during the COVID-19 pandemic, they face a unique set of privacy issues that arise from the use of screening processes and technologies. Organizations must design and implement new procedures to protect the health and safety of workers, students, and staff, but these procedures, the technology deployed to implement them, and the data collected in support of them can run afoul of the legal protections set forth in privacy and security laws, not to mention labor and employment laws. The laws that impact each organization will also vary depending on whether the organization is a government or a private entity and in which jurisdiction(s) the organization operates.

Generally, bringing people back to work and school involves implementing some combination of the following strategies: (1) written rules and procedures to be followed, (2) prescreening to determine who can return to work or school, (3) symptom tracking and health screening on an ongoing basis, and (4) contact tracing and quarantining if exposure to COVID-19 is suspected. Each of these strategies creates a series of issues that must be addressed.

Although written procedures must be consistent with changing public health guidelines, they still might not be enforceable. For example, many public schools have created written procedures for athletes who are returning to their sports at the high-school and college levels. Although these procedures are designed to protect and ensure safety for athletes, they often cross the boundary between encouraging athletes to follow the rules and asserting that athletes have assumed the risks of participating—constituting a waiver—with questionable enforceability.

Closely related to privacy concerns is the fact that prescreening of employees to determine whether they can return to work may violate employment laws. The EEOC has already asserted that the use of COVID-19 antibody tests as a vehicle for prescreening employees to determine whether they can return to work violates the Americans with Disabilities Act’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees because CDC guidelines provide that antibody test results “should not be used to make decisions about returning persons to the workplace.”

Symptom tracking and health screening raise a number of privacy issues, from what questions can be asked for screening, to how the data that is collected should be treated. The EEOC guidance for covered employers specifies that employers may ask employees whether they are exhibiting symptoms associated with COVID-19, consistent with current CDC-specified symptoms and guidelines, or those of other public health authorities and reputable medical sources. Employers may also take the body temperature of employees during the pandemic consistent with recommendations of the CDC and state and local health authorities. All information collected must be treated as an employee medical record, with the associated implications for protecting the privacy of that data and limits on maintaining and sharing such information. It is important to note that employers are allowed to share medical information with public health agencies.

The use of contact tracing for determining whether a person has been exposed to COVID-19, or has exposed others, raises a plethora of new issues. Contact tracing can be performed manually, but is often implemented through mobile applications that communicate with each other. The Google/Apple partnership, for example, has developed a common application programming interface (API) that will be available on all mobile phones that run either the Android or iOS operating systems. This API allows public health agencies and medical organizations to develop contact tracing applications. The underlying technology enables phones to contact each other when they are in proximity and share anonymous information that can later be used to develop contact lists if a person is diagnosed with COVID-19. This technology is subject to a number of privacy and security concerns, including device tracking to identify and locate users, sharing of personally identifiable and confidential health information, and use of that data for other purposes by either the technology companies or public health organizations. These applications must also be deployed carefully by employers to prevent labor law issues associated with surveillance outside of work hours. Existing privacy laws are still in effect for the data collected as part of contact tracing, and some states are weighing in to create new privacy laws to specifically address contact tracing.

Finally, the collection of data also creates record retention issues. Organizations may be tasked with keeping certain records to establish compliance with privacy mandates or to otherwise address broader regulatory concerns, particularly for human resources records. Add to that the fact that some data, even if it does not rise to the level of a record, may need to be retained for statistical or other metrics measurements. These data retention issues must be carefully balanced against strict privacy regulations at the national and international levels. To that end, litigation discovery concerns could also rear their ugly heads. This is where processes and systems for record retention and disposition are most critical.

On the whole, organizations face a difficult set of privacy issues arising from the use of screening processes and technologies to reintroduce workers and students to workplaces and schools during the COVID-19 pandemic. The landscape of legal privacy issues is going to continue to change as CDC guidance changes over time and as more governments pass new legislation to specifically address COVID-19-related challenges.

* Joan Wrabetz is a J.D. candidate, 2021, at Santa Clara University. John Isaza, Esq. is Vice President of Information Governance Solutions at Access Corp in Boston. Mr. Isaza can be reached at



    Joan Wrabetz

    COO, Fyusion, Inc.

    Joan Wrabetz is the Chief Operating Officer of Fyusion, Inc., a leader in AI-driven 3D imaging. She is also a law student at Santa Clara University, specializing in privacy and startup law. She is CIPP/US certified and has worked as a law clerk in Rimon’s Palo Alto Office as part of the Corporate practice group. Prior to embarking on her law school journey, Joan spent over 30 years in C-level roles in the technology industry, in addition to co-founding several startup companies.

    John Isaza

    CEO, Information Governance Solutions

    John Isaza is a California-based attorney, CEO of Information Governance Solutions (an Access Company) featuring Virgo™, a cloud-based software for records information management and global research, and partner at Rimon, where he chairs the records management and information governance practice. Mr. Isaza is one of the world’s foremost experts in the field. He has developed information governance and records retention programs for some of the most highly regulated Global 1000 companies. He is co-author of 7 Steps for Legal Holds of ESI & Other Documents, a contributing author to the ABA’s Internet Law for the Business Lawyer, 2nd Edition, as well as editor-in-chief and co-author of the recently released Handbook on Global Social Media Law for Business Lawyers. Mr. Isaza is past co-chair of the ABA’s Social Media Subcommittee, a fellow of ARMA International, and current co-chair of the ABA’s Consumer Privacy and Data Analytics Subcommittee.